
Secure Communication Paths in Apache Drill 1.10

Blog Post created by catherine_s on Mar 16, 2017

Apache Drill 1.10 features five secure communication paths:

  1. Web client to drillbit
  2. C++ client to drillbit
  3. Java client to drillbit
  4. Java client and drillbit to ZooKeeper
  5. Drillbit to storage plugin

To read more about Drill security, see the Securing Drill page in the Apache Drill documentation.

[Figure: Drill secure communication paths]

 

Security features for each communication path are described below.

 

Web Client to Drillbit 

The Web Console and REST API clients are web clients. Web clients can:

  • Submit and monitor queries
  • Configure storage plugins

Impersonation and authorization are available through the web clients only when authentication is enabled. Otherwise, the user identity is unknown.

 

| Feature | Description |
|---|---|
| Authentication | Users authenticate to a drillbit with a username and password form authenticator. By default, authentication is disabled. |
| Impersonation | Drill acts on behalf of the user on the session. This is usually the connection user (or the user that authenticates). This user can impersonate another user, which is allowed if the connection user is authorized to impersonate the target user based on the inbound impersonation policies (USER role). By default, impersonation is disabled. |
| Authorization | Queries execute on behalf of the web user. Users and administrators have different navigation bars. Various tabs are shown based on privileges. For example, only administrators can see the Storage tab and create/read/update/delete storage plugin configuration. |

 

Java and C++ Clients to Drillbit

Java (native or JDBC) and C++ (native or ODBC) clients submit queries to Drill. 

 

| Feature | Description |
|---|---|
| Authentication | Users authenticate to a drillbit using Kerberos, Plain (username and password through PAM), or a custom authenticator (username and password). By default, user authentication is disabled. |
| Impersonation | Drill acts on behalf of the user on the session. This is usually the connection user (or the user that authenticates). This user can impersonate another user. This is allowed if the connection user is authorized to impersonate the target user based on the inbound impersonation policies (USER role). By default, impersonation is disabled. |
| Authorization | A user can execute queries on data that he/she has access to. Each storage plugin manages the read/write permissions. Users can create views on top of data to provide granular access to that data. The user sets read permissions to appropriate users and/or groups. System-level options can only be changed by administrators (USER role). By default, only the process user is an administrator. This is available if authentication is enabled. |
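
The following is an added example, not code from the original post or from the Drill code base: a simplified Python model of the check described in the Impersonation rows above, where a connection (proxy) user may act as a target user only if an inbound impersonation policy covers both. The user names, group names and group lookup are constructed, the policy shape follows Drill's `exec.impersonation.inbound_policies` system option with strictly quoted JSON keys, and the matching rules (including `*` as a wildcard in either list) are assumptions of this model.

```python
import json

# Constructed sample policy list, shaped like the value of the
# `exec.impersonation.inbound_policies` option (keys quoted for strict JSON).
POLICIES = json.loads("""
[
  {"proxy_principals":  {"users": ["hue_svc"]},
   "target_principals": {"users": ["*"]}},
  {"proxy_principals":  {"groups": ["etl_admins"]},
   "target_principals": {"groups": ["analysts"]}}
]
""")

# Constructed group membership; a real deployment resolves this from the OS.
GROUPS = {"alice": {"etl_admins"}, "bob": {"analysts"}, "carol": {"finance"}}
WILDCARD = "*"


def _matches(principals, user, groups_of):
    """True if `user` is named, covered by a wildcard, or in a listed group."""
    users = set(principals.get("users", []))
    groups = set(principals.get("groups", []))
    if WILDCARD in users or user in users:
        return True
    return WILDCARD in groups or bool(groups & groups_of.get(user, set()))


def may_impersonate(proxy, target, policies=POLICIES, groups_of=GROUPS):
    """Default deny: one single policy must cover both proxy and target."""
    if proxy == target:
        return True  # no impersonation is taking place
    return any(
        _matches(p.get("proxy_principals", {}), proxy, groups_of)
        and _matches(p.get("target_principals", {}), target, groups_of)
        for p in policies
    )


def wildcard_targets(policies=POLICIES):
    """Indexes of policies whose targets are unrestricted (worth reviewing)."""
    return [
        i for i, p in enumerate(policies)
        if WILDCARD in p.get("target_principals", {}).get("users", [])
        or WILDCARD in p.get("target_principals", {}).get("groups", [])
    ]
```

`wildcard_targets` lists the policies that let a proxy user act as anyone, which are the entries to review first when auditing a policy set.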

 

Drill Client and Drillbit to ZooKeeper

Drill clients and drillbits communicate with ZooKeeper to obtain the list of active drillbits. Drillbits store system-level options and running query profiles.

 

| Feature | Description |
|---|---|
| Authentication | Not fully supported. |
| Authorization | Drill does not set ACLs on ZooKeeper nodes (znodes). |
| Encryption | Not fully supported. See the ZooKeeper SSL User Guide for related information. |

 

Drill to Hive Storage Plugin

The planner accesses the Hive Metastore for metadata. During execution, query fragments scan data from Hive using the Hive storage plugin.

 

| Feature | Description |
|---|---|
| Authentication | The drillbit is a client to the Hive Metastore. Authentication options include Kerberos and DIGEST. By default, authentication is disabled. |
| Impersonation | While accessing the Hive Metastore, the Hive impersonation setting in the storage plugin configuration overrides Drill's impersonation setting. While scanning data in Hive, Drill impersonation is applied. |
| Authorization | Drill supports SQL standard-based authorization and storage-based authorization. |
